rack-protection 0.1.0 → 1.5.5

data/rack-protection.gemspec

@@ -2,19 +2,74 @@
 Gem::Specification.new do |s|
   # general infos
   s.name        = "rack-protection"
-  s.version     = "0.1.0"
+  s.version     = "1.5.5"
   s.description = "You should use protection!"
   s.homepage    = "http://github.com/rkh/rack-protection"
   s.summary     = s.description
+  s.license     = 'MIT'
 
   # generated from git shortlog -sn
   s.authors = [
-    "Konstantin Haase"
+    "Konstantin Haase",
+    "Alex Rodionov",
+    "Patrick Ellis",
+    "Jason Staten",
+    "ITO Nobuaki",
+    "Jeff Welling",
+    "Matteo Centenaro",
+    "Egor Homakov",
+    "Florian Gilcher",
+    "Fojas",
+    "Igor Bochkariov",
+    "Mael Clerambault",
+    "Martin Mauch",
+    "Renne Nissinen",
+    "SAKAI, Kazuaki",
+    "Stanislav Savulchik",
+    "Steve Agalloco",
+    "TOBY",
+    "Thais Camilo and Konstantin Haase",
+    "Vipul A M",
+    "Akzhan Abdulin",
+    "brookemckim",
+    "Bj\u{f8}rge N\u{e6}ss",
+    "Chris Heald",
+    "Chris Mytton",
+    "Corey Ward",
+    "Dario Cravero",
+    "David Kellum"
   ]
 
   # generated from git shortlog -sne
   s.email = [
-    "konstantin.mailinglists@googlemail.com"
+    "konstantin.mailinglists@googlemail.com",
+    "p0deje@gmail.com",
+    "jstaten07@gmail.com",
+    "patrick@soundcloud.com",
+    "jeff.welling@gmail.com",
+    "bugant@gmail.com",
+    "daydream.trippers@gmail.com",
+    "florian.gilcher@asquera.de",
+    "developer@fojasaur.us",
+    "ujifgc@gmail.com",
+    "mael@clerambault.fr",
+    "martin.mauch@gmail.com",
+    "rennex@iki.fi",
+    "kaz.july.7@gmail.com",
+    "s.savulchik@gmail.com",
+    "steve.agalloco@gmail.com",
+    "toby.net.info.mail+git@gmail.com",
+    "dev+narwen+rkh@rkh.im",
+    "vipulnsward@gmail.com",
+    "akzhan.abdulin@gmail.com",
+    "brooke@digitalocean.com",
+    "bjoerge@bengler.no",
+    "cheald@gmail.com",
+    "self@hecticjeff.net",
+    "coreyward@me.com",
+    "dario@uxtemple.com",
+    "dek-oss@gravitext.com",
+    "homakov@gmail.com"
   ]
 
   # generated from git ls-files
@@ -29,6 +84,7 @@ Gem::Specification.new do |s|
     "lib/rack/protection/escaped_params.rb",
     "lib/rack/protection/form_token.rb",
     "lib/rack/protection/frame_options.rb",
+    "lib/rack/protection/http_origin.rb",
     "lib/rack/protection/ip_spoofing.rb",
     "lib/rack/protection/json_csrf.rb",
     "lib/rack/protection/path_traversal.rb",
@@ -39,9 +95,11 @@ Gem::Specification.new do |s|
     "lib/rack/protection/xss_header.rb",
     "rack-protection.gemspec",
     "spec/authenticity_token_spec.rb",
+    "spec/base_spec.rb",
     "spec/escaped_params_spec.rb",
     "spec/form_token_spec.rb",
     "spec/frame_options_spec.rb",
+    "spec/http_origin_spec.rb",
     "spec/ip_spoofing_spec.rb",
     "spec/json_csrf_spec.rb",
     "spec/path_traversal_spec.rb",
@@ -55,7 +113,6 @@ Gem::Specification.new do |s|
 
   # dependencies
   s.add_dependency "rack"
-  s.add_dependency "escape_utils"
   s.add_development_dependency "rack-test"
   s.add_development_dependency "rspec", "~> 2.0"
 end

data/spec/authenticity_token_spec.rb

@@ -30,4 +30,19 @@ describe Rack::Protection::AuthenticityToken do
   it "prevents ajax requests without a valid token" do
     post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
   end
+
+  it "allows for a custom authenticity token param" do
+    mock_app do
+      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
+
+  it "sets a new csrf token for the session in env, even after a 'safe' request" do
+    get('/', {}, {})
+    env['rack.session'][:csrf].should_not be_nil
+  end
 end

data/spec/base_spec.rb

@@ -0,0 +1,40 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::Base do
+
+  subject { described_class.new(lambda {}) }
+
+  describe "#random_string" do
+    it "outputs a string of 32 characters" do
+      subject.random_string.length.should == 32
+    end
+  end
+
+  describe "#referrer" do
+    it "Reads referrer from Referer header" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/valid"}
+      subject.referrer(env).should == "bar.com"
+    end
+
+    it "Reads referrer from Host header when Referer header is relative" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "/valid"}
+      subject.referrer(env).should == "foo.com"
+    end
+
+    it "Reads referrer from Host header when Referer header is missing" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.referrer(env).should == "foo.com"
+    end
+
+    it "Returns nil when Referer header is missing and allow_empty_referrer is false" do
+      env = {"HTTP_HOST" => "foo.com"}
+      subject.options[:allow_empty_referrer] = false
+      subject.referrer(env).should be_nil
+    end
+
+    it "Returns nil when Referer header is invalid" do
+      env = {"HTTP_HOST" => "foo.com", "HTTP_REFERER" => "http://bar.com/bad|uri"}
+      subject.referrer(env).should be_nil
+    end
+  end
+end

data/spec/escaped_params_spec.rb

@@ -30,5 +30,14 @@ describe Rack::Protection::EscapedParams do
       get '/', :foo => {:bar => "<bar>"}
       body.should == '&lt;bar&gt;'
     end
+
+    it 'leaves cache-breaker params untouched' do
+      mock_app do |env|
+        [200, {'Content-Type' => 'text/plain'}, ['hi']]
+      end
+
+      get '/?95df8d9bf5237ad08df3115ee74dcb10'
+      body.should == 'hi'
+    end
   end
 end

data/spec/frame_options_spec.rb

@@ -3,8 +3,12 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 describe Rack::Protection::FrameOptions do
   it_behaves_like "any rack application"
 
-  it 'should set the X-XSS-Protection' do
-    get('/').headers["X-Frame-Options"].should == "sameorigin"
+  it 'should set the X-Frame-Options' do
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "SAMEORIGIN"
+  end
+
+  it 'should not set the X-Frame-Options for other content types' do
+    get('/', {}, 'wants' => 'text/foo').headers["X-Frame-Options"].should be_nil
   end
 
   it 'should allow changing the protection mode' do
@@ -14,11 +18,22 @@ describe Rack::Protection::FrameOptions do
       run DummyApp
     end
 
-    get('/').headers["X-Frame-Options"].should == "deny"
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "DENY"
+  end
+
+
+  it 'should allow changing the protection mode to a string' do
+    # I have no clue what other modes are available
+    mock_app do
+      use Rack::Protection::FrameOptions, :frame_options => "ALLOW-FROM foo"
+      run DummyApp
+    end
+
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "ALLOW-FROM foo"
   end
 
   it 'should not override the header if already set' do
     mock_app with_headers("X-Frame-Options" => "allow")
-    get('/').headers["X-Frame-Options"].should == "allow"
+    get('/', {}, 'wants' => 'text/html').headers["X-Frame-Options"].should == "allow"
   end
 end

data/spec/http_origin_spec.rb

@@ -0,0 +1,38 @@
+require File.expand_path('../spec_helper.rb', __FILE__)
+
+describe Rack::Protection::HttpOrigin do
+  it_behaves_like "any rack application"
+
+  before(:each) do
+    mock_app do
+      use Rack::Protection::HttpOrigin
+      run DummyApp
+    end
+  end
+
+  %w(GET HEAD POST PUT DELETE).each do |method|
+    it "accepts #{method} requests with no Origin" do
+      send(method.downcase, '/').should be_ok
+    end
+  end
+
+  %w(GET HEAD).each do |method|
+    it "accepts #{method} requests with non-whitelisted Origin" do
+      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should be_ok
+    end
+  end
+
+  %w(POST PUT DELETE).each do |method|
+    it "denies #{method} requests with non-whitelisted Origin" do
+      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should_not be_ok
+    end
+
+    it "accepts #{method} requests with whitelisted Origin" do
+      mock_app do
+        use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://www.friend.com']
+        run DummyApp
+      end
+      send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://www.friend.com').should be_ok
+    end
+  end
+end

data/spec/json_csrf_spec.rb

@@ -12,6 +12,14 @@ describe Rack::Protection::JsonCsrf do
       get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
     end
 
+    it "accepts requests with json responses with a remote referrer when there's an origin header set" do
+      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
+    end
+
+    it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
+      get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com').should be_ok
+    end
+
     it "accepts get requests with json responses with a local referrer" do
       get('/', {}, 'HTTP_REFERER' => '/').should be_ok
     end
@@ -19,5 +27,32 @@ describe Rack::Protection::JsonCsrf do
     it "accepts get requests with json responses with no referrer" do
       get('/', {}).should be_ok
     end
+
+    it "accepts XHR requests" do
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
+    end
+
+  end
+
+  describe 'not json response' do
+
+    it "accepts get requests with 304 headers" do
+      mock_app { |e| [304, {}, []]}
+      get('/', {}).status.should == 304
+    end
+
+  end
+
+  describe 'with drop_session as default reaction' do
+    it 'still denies' do
+      mock_app do
+        use Rack::Protection, :reaction => :drop_session
+        run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
+      end
+
+      session = {:foo => :bar}
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
+      last_response.should_not be_ok
+    end
   end
 end

data/spec/path_traversal_spec.rb

@@ -14,10 +14,28 @@ describe Rack::Protection::PathTraversal do
 
     { # yes, this is ugly, feel free to change that
       '/..' => '/', '/a/../b' => '/b', '/a/../b/' => '/b/', '/a/.' => '/a/',
-      '/%2e.' => '/', '/a/%2e%2e/b' => '/b', '/a%2f%2e%2e%2fb/' => '/b/',
-      '//' => '/', '/%2fetc%2fpasswd' => '/etc/passwd'
+      '/%2e.' => '/', '/a/%2E%2e/b' => '/b', '/a%2f%2E%2e%2Fb/' => '/b/',
+      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
     }.each do |a, b|
       it("replaces #{a.inspect} with #{b.inspect}") { get(a).body.should == b }
     end
+
+    it 'should be able to deal with PATH_INFO = nil (fcgi?)' do
+      app = Rack::Protection::PathTraversal.new(proc { 42 })
+      app.call({}).should be == 42
+    end
+  end
+
+  if "".respond_to?(:encoding)  # Ruby 1.9+ M17N
+    context "PATH_INFO's encoding" do
+      before do
+        @app = Rack::Protection::PathTraversal.new(proc { |e| [200, {'Content-Type' => 'text/plain'}, [e['PATH_INFO'].encoding.to_s]] })
+      end
+
+      it 'should remain unchanged as ASCII-8BIT' do
+        body = @app.call({ 'PATH_INFO' => '/'.encode('ASCII-8BIT') })[2][0]
+        body.should == 'ASCII-8BIT'
+      end
+    end
   end
 end

data/spec/protection_spec.rb

@@ -2,4 +2,104 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection do
   it_behaves_like "any rack application"
+
+  it 'passes on options' do
+    mock_app do
+      use Rack::Protection, :track => ['HTTP_FOO']
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
+    session[:foo].should be == :bar
+
+    get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
+    session.should be_empty
+  end
+
+  it 'passes errors through if :reaction => :report is used' do
+    mock_app do
+      use Rack::Protection, :reaction => :report
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, [e["protection.failed"].to_s]] }
+    end
+
+    session = {:foo => :bar}
+    post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
+    last_response.should be_ok
+    body.should == "true"
+  end
+
+  describe "#react" do
+    it 'prevents attacks and warns about it' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /prevented.*Origin/
+    end
+
+    it 'reports attacks if reaction is to report' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /reported.*Origin/
+      io.string.should_not match /prevented.*Origin/
+    end
+
+    it 'passes errors to reaction method if specified' do
+      io = StringIO.new
+      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
+      mock_app do
+        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /HTTP_ORIGIN.*malicious.com/
+      io.string.should_not match /reported|prevented/
+    end
+  end
+
+  describe "#html?" do
+    context "given an appropriate content-type header" do
+      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
+      it { should be_true }
+    end
+
+    context "given an inappropriate content-type header" do
+      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "image/gif" }
+      it { should be_false }
+    end
+
+    context "given no content-type header" do
+      subject { Rack::Protection::Base.new(nil).html?({}) }
+      it { should be_false }
+    end
+  end
+
+  describe "#instrument" do
+    let(:env) { { 'rack.protection.attack' => 'base' } }
+    let(:instrumenter) { double('Instrumenter') }
+
+    after do
+      app.instrument(env)
+    end
+
+    context 'with an instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil, :instrumenter => instrumenter) }
+
+      it { instrumenter.should_receive(:instrument).with('rack.protection', env) }
+    end
+
+    context 'with no instrumenter specified' do
+      let(:app) { Rack::Protection::Base.new(nil) }
+
+      it { instrumenter.should_not_receive(:instrument) }
+    end
+  end
 end

data/spec/session_hijacking_spec.rb

@@ -17,11 +17,12 @@ describe Rack::Protection::SessionHijacking do
     session.should be_empty
   end
 
-  it "denies requests with a changing Accept-Encoding header" do
+  it "accepts requests with a changing Accept-Encoding header" do
+    # this is tested because previously it led to clearing the session
     session = {:foo => :bar}
     get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
     get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session.should be_empty
+    session.should_not be_empty
   end
 
   it "denies requests with a changing Accept-Language header" do
@@ -31,10 +32,24 @@ describe Rack::Protection::SessionHijacking do
     session.should be_empty
   end
 
-  it "denies requests with a changing Version header"do
+  it "accepts requests with the same Accept-Language header" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    session.should_not be_empty
+  end
+
+  it "comparison of Accept-Language header is not case sensitive" do
+    session = {:foo => :bar}
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
+    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
+    session.should_not be_empty
+  end
+
+  it "accepts requests with a changing Version header"do
     session = {:foo => :bar}
     get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
     get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
-    session.should be_empty
+    session[:foo].should == :bar
   end
 end

data/spec/spec_helper.rb

@@ -1,5 +1,6 @@
 require 'rack/protection'
 require 'rack/test'
+require 'rack'
 require 'forwardable'
 require 'stringio'
 
@@ -21,10 +22,15 @@ if version == "1.3"
   end
 end
 
+unless Rack::MockResponse.method_defined? :header
+  Rack::MockResponse.send(:alias_method, :header, :headers)
+end
+
 module DummyApp
   def self.call(env)
     Thread.current[:last_env] = env
-    [200, {'Content-Type' => 'text/plain'}, ['ok']]
+    body = (env['REQUEST_METHOD'] == 'HEAD' ? '' : 'ok')
+    [200, {'Content-Type' => env['wants'] || 'text/plain'}, [body]]
   end
 end
 

data/spec/xss_header_spec.rb

@@ -4,7 +4,15 @@ describe Rack::Protection::XSSHeader do
   it_behaves_like "any rack application"
 
   it 'should set the X-XSS-Protection' do
-    get('/').headers["X-XSS-Protection"].should == "1; mode=block"
+    get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"].should == "1; mode=block"
+  end
+
+  it 'should set the X-XSS-Protection for XHTML' do
+    get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"].should == "1; mode=block"
+  end
+
+  it 'should not set the X-XSS-Protection for other content types' do
+    get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"].should be_nil
   end
 
   it 'should allow changing the protection mode' do
@@ -14,11 +22,35 @@ describe Rack::Protection::XSSHeader do
       run DummyApp
     end
 
-    get('/').headers["X-XSS-Protection"].should == "1; mode=foo"
+    get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"].should == "1; mode=foo"
   end
 
   it 'should not override the header if already set' do
     mock_app with_headers("X-XSS-Protection" => "0")
-    get('/').headers["X-XSS-Protection"].should == "0"
+    get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"].should == "0"
+  end
+
+  it 'should set the X-Content-Type-Options' do
+    get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+
+  it 'should set the X-Content-Type-Options for other content types' do
+    get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+
+  it 'should allow changing the nosniff-mode off' do
+    mock_app do
+      use Rack::Protection::XSSHeader, :nosniff => false
+      run DummyApp
+    end
+
+    get('/').headers["X-Content-Type-Options"].should be_nil
+  end
+
+  it 'should not override the header if already set X-Content-Type-Options' do
+    mock_app with_headers("X-Content-Type-Options" => "sniff")
+    get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"].should == "sniff"
   end
 end